Security Bulletin

Summary

The security issue was originally published as a high-severity vulnerability; based on our ongoing technical assessment we have reduced the severity to medium. The vulnerability is in the licensing functionality used by some IBM Rational products. The affected products and versions are listed below, and fixes are available per the table below.

Vulnerability Details

Description: The IBM Rational licensing implementation for Windows platforms is based on the Microsoft COM framework. The licensing functionality is exposed to certain IBM Rational programs through four different COM objects. The currently known attack vectors include opening local HTML files while scripting is allowed in the "My Computer" zone, or permitting unsafe ActiveX controls to run in Internet Explorer. Both of these are considered unsafe configurations.

Based on additional technical assessment of this security issue, IBM has lowered the base severity rating from high (CVSS 7.2), as originally reported, to medium (CVSS 6.2). At this time we have not identified a high-risk exploitation vector for this vulnerability, and we have no information indicating that there is an immediate risk of exploitation. IBM cannot rule out other valid vectors and is continuing its evaluation; for this reason we have decided to inform our clients about this potential security issue and recommend that they install the appropriate fix as soon as possible.

As of 4/13/2011, IBM has not received any reports of customer issues related to this security vulnerability. The vulnerability was identified and reported to IBM by a security testing company, DBAPP Security.

Workarounds and Mitigations

References

Related information

Acknowledgement

None

Change History

* 13 April 2011 - Removed RCL Kill-bit_v2.zip file and steps, as Microsoft's Security Fix has superseded this alternative risk mitigation.
* 05 April 2011 - Changed base CVSS score, resulting in the advisory severity being lowered from high to medium.
* 31 March 2011 - Incremented RCL kill-bit.zip file to RCL kill-bit_v2.zip. The initial RCL Kill-bit.reg did not include all of the affected CLSIDs. If you have already applied RCL Kill-bit.reg, you will need to apply RCL Kill-bit_v2.
* 28 March 2011 - Original copy published.
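The interim mitigation referenced in the change history was an Internet Explorer "kill bit" (Compatibility Flags 0x400) applied to the affected CLSIDs, which prevents IE and HTML scripting from instantiating those COM objects. The following PowerShell audit is an added example, not part of the IBM bulletin or its kill-bit package; it reports whether the kill bit is present for a list of CLSIDs in both the native and the Wow6432Node registry views. The CLSIDs shown are placeholders, since the bulletin's actual CLSID list is not reproduced on this page.

```powershell
# Added example (not from the IBM bulletin): audit whether the IE kill bit is
# set for a list of ActiveX/COM CLSIDs, so a defender can confirm the objects
# cannot be instantiated from HTML scripting in Internet Explorer on this host.
# The CLSIDs below are PLACEHOLDERS; substitute the affected CLSIDs from the
# vendor's kill-bit package, which are not reproduced on this page.
$Clsids = @(
    '{00000000-0000-0000-0000-000000000001}',   # placeholder
    '{00000000-0000-0000-0000-000000000002}'    # placeholder
)

# The kill bit is bit 0x400 of the "Compatibility Flags" DWORD under the
# ActiveX Compatibility key (documented in Microsoft KB240797).
$KillBit = 0x400
$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # 32-bit IE on 64-bit Windows reads the WOW64 view of the registry:
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitStatus {
    param([string[]]$ClsidList)
    foreach ($clsid in $ClsidList) {
        foreach ($base in $BasePaths) {
            if (-not (Test-Path $base)) { continue }   # Wow6432Node is absent on 32-bit Windows
            $key   = Join-Path $base $clsid
            $flags = $null
            if (Test-Path $key) {
                $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                          -ErrorAction SilentlyContinue).'Compatibility Flags'
            }
            [pscustomobject]@{
                Clsid   = $clsid
                View    = $base
                Flags   = if ($null -eq $flags) { 'not set' } else { '0x{0:X}' -f $flags }
                KillBit = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
            }
        }
    }
}

# Report per CLSID and registry view; exit non-zero if any entry lacks the
# kill bit, so the script can feed a compliance or configuration check.
$results = Get-KillBitStatus -ClsidList $Clsids
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.KillBit }) { exit 1 }
```

Reading HKLM requires no elevation, so the audit can run under a standard user account; only writing the kill bit would require administrative rights.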

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.